0 Votes
HannaH021-9125 asked surabhimathur commented

How to grant third party access to Azure apps

Hi

I've been searching for a while, and I know I can't be the only one trying to do this. I need to come up with a pattern for granting third-party access to APIs exposed using Azure API Management.
The scenarios are:

  • We are Tenant A, and we have a client on Tenant B. Our APIs in Tenant A have an app registration that is advertised as multi-tenant. What should happen on Tenant B? I've seen a few posts saying to create the client in Tenant A and give the credentials to the third party, but this is a problem, because (1) we can't hold the third party accountable when we know the credentials; they can deny any wrongdoing, and (2) we have to manage the credentials and rotate them to remain compliant with our password policy. We want to be able to create the app registration in Tenant B and let them manage their own credentials but still have access to our APIs. Is there a step-by-step guide for doing this in the Azure documentation?

  • We have Tenant A, and a customer that uses Okta as their IdP, not Azure AD. How do we go about granting them access to our APIs?

Thanks

azure-ad-authentication


For scenario 1: in Tenant A, you should already have an app registration for the API app. As you have already registered it as a multi-tenant application, when anyone from Tenant B accesses this app it will automatically create a service principal for it within Tenant B (you can check this in the Enterprise applications section of the portal). On Tenant A, where the API app is registered, you need to make sure that the "Expose an API" section has the scopes and the API URL defined, and that you are using a verified domain in Tenant A for the API URL only. You will also need to make sure that the implicit auth settings for the app are defined under Authentication > Implicit grant and hybrid flows > check both Access token and ID token, or check as per your requirements. Once you have done all this, you need to have the global admin of Tenant B use a URL to access this app. Since it is multi-tenant, it should not be a problem.


0 Votes 0 ·

For accessing the app, create the URL like the following, using the client ID of the API app from Tenant A:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=<client ID of the application in Tenant A>&response_type=token&redirect_uri=<URI for your API>&state=1234&response_mode=fragment&scope=<approved scope as defined in the registered API >

The above will create a service principal of the API app from Tenant A in Tenant B. The global admin can consent to the app for everyone in the organisation (i.e. all Tenant B users).

For scenario 2: I am not sure how this will play out with Okta as the IdP. I guess even if Okta is the IdP, the customer would still have Azure AD as a user store / credential provider. So there may be some way in Okta to register the service principal of the multi-tenant Azure AD API app, but I don't know how that would work.

0 Votes 0 ·
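Added here as a worked example, not code from the comment above or from Microsoft: it assembles the authorize URL in exactly the form the comment gives and then validates the fragment the browser is redirected back with, rejecting a response whose `state` does not match the one this client sent. The client ID, redirect URI and scope values are constructed placeholders, and `state` is generated per request rather than the fixed `1234` shown in the comment.

```python
# Added example (not from the original post). Builds the implicit-grant
# authorize URL from the comment's template and checks the returned fragment.
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


def build_authorize_url(client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """Return the URL in the same shape as the comment above (response_type=token,
    response_mode=fragment). urlencode escapes the scope and redirect URI for us."""
    params = {
        "client_id": client_id,
        "response_type": "token",
        "redirect_uri": redirect_uri,
        "state": state,
        "response_mode": "fragment",
        "scope": scope,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_fragment_response(redirected_url: str, expected_state: str) -> dict:
    """Parse '#access_token=...&state=...' from the redirect and return its fields.
    Raises ValueError when the state does not match (the response was not
    initiated by this client), when the IdP reported an error, or when no token
    is present. Compare state with a constant-time function to be safe."""
    fragment = urlsplit(redirected_url).fragment
    data = {k: v[0] for k, v in parse_qs(fragment).items()}
    if not secrets.compare_digest(data.get("state", ""), expected_state):
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in data:
        raise ValueError(f"authorization failed: {data['error']}: {data.get('error_description', '')}")
    if "access_token" not in data:
        raise ValueError("no access_token in fragment")
    return data


def new_state() -> str:
    """Unpredictable per-request state value (binds the response to the request)."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    # Constructed placeholder values, not a real tenant or app.
    st = new_state()
    print(build_authorize_url("00000000-0000-0000-0000-000000000000",
                              "https://api.contoso.example/callback",
                              "api://api.contoso.example/Data.Read", st))
```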

0 Answers